Oracle Security Consulting Services

PeteFinnigan.com Limited offer a variety of Oracle Security based consulting services. These Oracle Security services are highlighted on this page. Separate detail pages for each service are
also available. Each service is detailed and can be customised or tailored to your own needs.

Detailed Oracle Security Audit Service

PeteFinnigan.com Limited's Oracle database IT security health check service has been designed by Pete Finnigan, an expert with years of real world experience in auditing,
securing, designing and hardening customers' Oracle databases. Pete is also well known for writing and presenting extensively in the area of Oracle security.

Our audit service is very detailed and in-depth and is "conducted by hand". This audit is one of the most detailed security audits of an Oracle database available anywhere.

We offer a number of types of "quick" Oracle security audits that can be tailored to fit most requirements. A quick audit can be performed when more detail is known of the
target systems and a security policy already exists. Our audit can be created to match your Oracle database security policy, so it is much more specific to you and your view of
what a secure Oracle database looks like. Alternatively, we can do a quick top issues audit for you on one or any number of databases to give you an initial view
of the state of your Oracle security so that more detailed audits or actions can be taken.

These audits can be performed on-site or remotely. We can provide you with tools that you run yourself, after which you provide us with the output to analyse for you, or we
can come to your site and run the tools ourselves.

If you have had an Oracle database security audit performed against one or more of your databases, either by PeteFinnigan.com Limited or another organisation, or you have simply run
(or had run) commercial tools internally, or checked a few issues with hand-coded queries perhaps based on a checklist such as the CIS benchmark, then the next steps are:

Decide on severity / risk / timescale / budget.

Review the Oracle database security audit or health check report and decide what to fix.

Our Oracle database health check service is aimed at reviewing the "correctness" of your Oracle databases in terms of users, errors, space, data design where appropriate
and much more. The health check includes some basic Oracle security checks but focuses on the main health and stability of the database. The health check is run on your site
using our custom tools, either by our consultants or by you: we can provide the tools for you to run and you then give us the output to analyse for you.

Over the years we have helped many companies design, prototype and implement various Oracle Security designs and solutions to help their applications, databases and business
implement custom Oracle security or granular or context based security of user access, data, privileges and more. We have helped customers design and use implementations of Oracle
Virtual Private Database (VPD), Oracle Label Security (OLS), Oracle Database Vault, Oracle Encryption, Oracle Transparent Database Encryption, Advanced Security and many more. We
have also implemented custom solutions using custom settings and PL/SQL based software.

We can help you evaluate any of the Oracle Security options available from Oracle or from Third Parties or even help you design in-house custom Oracle Security solutions.

One of the first things that you should do to your Oracle databases in terms of Oracle Security controls is to implement an Oracle database audit trail. Without a robust audit
trail we cannot know who accesses your database, when, how and more. The database engine is complex and there are many ways to achieve the same actions, so having a comprehensive audit
trail is a must. Oracle offer Oracle Audit Vault and Database Firewall and we can help specify and configure these tools. We can also help specify and configure any of the third party audit
and monitoring solutions available at this time.

Most importantly we have created a toolkit called PFCLATK that can be used to implement centralised audit trails. PFCLATK is declarative and policy driven and includes many pre-created
policies and events. This toolkit takes the complexity out of using the core database audit settings and allows us to help customers focus on policy and events.

If you have a specific Oracle database security policy, or you include Oracle database specific controls in a more generic security policy, then we can help you review that policy and
its controls to make them more robust for the modern world where data theft and loss are rising. Alternatively, if you do not currently have any Oracle security specific controls or policy, we
can help you design your own policy.

This policy should form the basis of "what" a secure Oracle database looks like for you and it should "feed into" all efforts to secure and lock down all of your Oracle databases. We
have extensive experience helping customers create Oracle security policies for more than a decade.

Most databases contain some, or often a lot of, PL/SQL code that is either part of the business logic or applications, part of database support and monitoring, or even
part of database security solutions. Most often this code will include security vulnerabilities. These are not intentionally added, but unless a robust secure coding regime exists
they will be inevitable. This is borne out by locating these types of secure code issues for many clients over many years, either as part of secure code reviews or more generally as part
of a database security audit.

We have extensive experience not just of secure code syntax (i.e. how to not make your code vulnerable to attacks such as SQL Injection) but also of how that code is used and deployed
into the database in terms of design decisions, permissions, exposure and more. Pete Finnigan wrote some of the very first papers on SQL Injection in Oracle PL/SQL and SQL code in the very
early 2000s.

Our secure code review will help you locate vulnerable PL/SQL and will review both the context of the code (schema used, methods used, permissions etc.) and the security of the code itself.

What if the worst happens? What if your databases are hacked or your data is stolen and paraded on web sites such as Pastebin? This happens more and more often as criminals understand
that for them there is much less risk in entering a computer than in walking into a bank with a sawn-off shotgun. Data theft and breach is no longer a "bragging rights" issue for kids in their teens
but is pure crime and big business for some.

If your Oracle database is breached we can help. We can help you understand how the perpetrators got in, what they accessed, saw or stole and, worse, what they could have done if they
had much more extensive Oracle skills.

We can also advise you in advance of a breach: we can help you audit databases, secure those databases and implement audit trails. More importantly, we can help you define and put in place an
incident response process and team to quickly deal with any real or potential breach as soon as it happens, lessening any potential impact.

We have experience helping customers who came to us after a breach, both in performing forensic analysis and in helping set up incident response teams. Further, Pete Finnigan was the first
person in the world to publish anything related to Oracle Forensics when he created module 17 of the original SANS Oracle Security 509 class in 2003, many years before any books or papers appeared
about Oracle forensics.

Data masking has an important part to play in allowing customers to safely use production quality data in non-production environments such as test or development. Data masking is possible
with Oracle provided products, third party products such as Delphix, PC based tools such as DataMasker from Net 2000 Ltd or even home-grown scripted solutions. We have extensive experience helping
our customers choose the right products and approach, and also helping configure and develop suitable solutions.

We are ideally placed to help you specify and implement data masking of your own.

Other Oracle Security Services

PeteFinnigan.com Limited is ideally placed to help with some or all of these elements. We offer tailored services in these areas.

Don't worry if you do not see the service you require here; if it is related to the security of your data then we can help.
Please contact us at info@petefinnigan.com in the first instance.

Partner With Us?

Any company that feels it could offer complementary services to PeteFinnigan.com Limited's own services and would like to become a partner for PeteFinnigan.com Limited to offer
its services in the UK should contact info@petefinnigan.com in the first instance. Also, any company that would like to offer some of
PeteFinnigan.com Limited's services in another country should contact info@petefinnigan.com to discuss partnering with us.

PFCLTraining is a set of expert training classes for you, aimed at teaching how to audit your own Oracle database,
design audit trails, secure code in PL/SQL and secure and lock down your Oracle database.

For any more information about our Oracle Security services, our products to help you secure your Oracle database or our
expert Oracle Security training, please call us now on +44 7759 277220 or contact us by email at info@petefinnigan.com.